[dnssec-deployment] DNSSEC and certificates.

Edward Lewis Ed.Lewis at neustar.biz
Mon Jan 24 14:14:46 EST 2005

At 10:39 -0800 1/24/05, Doug Barton wrote:
>Jakob Schlyter wrote:
>>  On Sat, 22 Jan 2005, Doug Barton wrote:
>>>  The attack vector I'm most concerned about is the one where the
>>>  attacker obtains a valid certificate, and then spoofs DNS to direct
>>>  traffic to his bogus site. There is no way for the average user to
>>>  protect themselves against this attack.
>>  but there is nothing we can do against this attack unless we change the basic
>>  principles of X.509 as we know it.
>Nothing can be done in the X.509 world of course, but that's precisely what
>makes this attack so troublesome.

Truthfully, no one can prevent any attack.  But for the above 
scenario, it can be mitigated through the use of revocation lists.

(Okay, I'll wait for the chortling to die down.)

In this instance, the DNS administrator would have to monitor an X.509 
revocation list for each certificate used to authenticate a 
transaction request, and undo the modification it caused if the 
revocation was for malicious conduct.

This sounds fine in theory; I am of the impression that it isn't practical.

>>  DNSSEC will of course help here, but the attacker can redirect traffic in
>>  various other ways.
>Yes, but the combination of DNSSEC + X.509 makes any other attack vector
>almost prohibitively expensive.

There are routing layer attacks, and attacks like the one mentioned 
above which may have started with a "social attack" - i.e., bribing 
someone to get the certificate.  (All this is well beyond the scope 
of this group.)

>>  but why try to obtain a valid cert when the user will just accept
>>  whatever pops up on the screen?
>I don't share the same cynical view. I think that this problem is bad, but I
>don't think it's as bad as it's being made out to be. I'm also thinking of
>automated systems that run without user interaction, such as windows update,

If you want to make the pop-up have meaning, you have to present the 
user with enough *information* (not *data*) to make a worthwhile 
decision.  E.g., a green pane defaults to "go ahead"; a red pane 
defaults to "stop" - more than "I got this untrusted blob" and less 
than "I got these bytes as an untrusted key: 0x2d9e..."  I'm sure 
this can be balanced out when the time comes.

Edward Lewis                                                +1-571-434-5468

"A noble spirit embiggens the smallest man." - Jebediah Springfield
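The CRL-driven rollback sketched in the message above, as an added example that is not code from the original post or from anyone on this list: a toy model in which every zone change records the serial of the client certificate that authenticated it, a revocation feed carries the fields a CRL entry has (serial, revocation time, RFC 5280 reason code, optional invalidityDate), and a rollback undoes changes made under a certificate revoked for a compromise reason. The change-log shape, the choice of which reason codes count as "malicious conduct", the serials, names and addresses are all this example's own assumptions; it does not parse a real CRL.

```python
"""Toy model of undoing DNS changes after the authenticating cert is revoked.
Added example; the data model and the malicious-reason policy are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# RFC 5280 CRLReason codes. Treating the compromise codes as "malicious
# conduct" is a policy choice made for this example, not a rule in the RFC.
KEY_COMPROMISE = 1
CA_COMPROMISE = 2
SUPERSEDED = 4
CERTIFICATE_HOLD = 6
PRIVILEGE_WITHDRAWN = 9
AA_COMPROMISE = 10
MALICIOUS_REASONS = {KEY_COMPROMISE, CA_COMPROMISE, PRIVILEGE_WITHDRAWN, AA_COMPROMISE}

RRKey = Tuple[str, str]  # (owner name, RR type); one RDATA per key keeps the toy simple


@dataclass(frozen=True)
class Change:
    """One zone modification and the certificate that authenticated it."""
    key: RRKey
    old: Optional[str]   # RDATA before the change; None if the RR was created
    new: Optional[str]   # RDATA after the change; None if the RR was deleted
    cert_serial: int     # serial of the client certificate used on the request
    when: datetime


@dataclass(frozen=True)
class Revocation:
    """What a CRL entry carries: serial, time, optional reason and invalidityDate."""
    serial: int
    revoked_at: datetime
    reason: Optional[int] = None
    invalidity_date: Optional[datetime] = None


def tainted_changes(log: List[Change], crl: List[Revocation]) -> List[Change]:
    """Changes authenticated by a cert revoked for a compromise reason. With an
    invalidityDate only changes at or after it are tainted; without one, every
    change by that cert is, since nothing bounds the compromise window."""
    by_serial = {r.serial: r for r in crl}
    tainted = []
    for c in log:
        r = by_serial.get(c.cert_serial)
        if r is None or r.reason not in MALICIOUS_REASONS:
            continue
        if r.invalidity_date is not None and c.when < r.invalidity_date:
            continue
        tainted.append(c)
    return tainted


def roll_back(zone: Dict[RRKey, str], log: List[Change], crl: List[Revocation]):
    """Undo tainted changes newest-first. A change is reverted only if the zone
    still holds the RDATA it installed; otherwise a later edit intervened and
    the record is reported for manual review instead of being overwritten."""
    reverted, conflicts = [], []
    for c in sorted(tainted_changes(log, crl), key=lambda x: x.when, reverse=True):
        if zone.get(c.key) != c.new:
            conflicts.append(c)
            continue
        if c.old is None:
            del zone[c.key]
        else:
            zone[c.key] = c.old
        reverted.append(c)
    return reverted, conflicts


def _t(hour: int) -> datetime:
    return datetime(2005, 1, 24, hour, 0, tzinfo=timezone.utc)


def _replay(zone: Dict[RRKey, str], log: List[Change]) -> Dict[RRKey, str]:
    """Apply the change log so the zone reflects its current state."""
    for c in log:
        if c.new is None:
            zone.pop(c.key, None)
        else:
            zone[c.key] = c.new
    return zone


# Constructed sample data: 0x1001 is the operator's own cert, 0x2002 the one the
# attacker obtained, 0x1003 the operator's re-issued cert. RFC 5737 addresses.
WWW = ("www.example.net.", "A")
LOGIN = ("login.example.net.", "A")
SAMPLE_LOG = [
    Change(WWW, "192.0.2.10", "192.0.2.11", 0x1001, _t(9)),
    Change(WWW, "192.0.2.11", "198.51.100.7", 0x2002, _t(11)),   # redirect to attacker
    Change(LOGIN, None, "198.51.100.7", 0x2002, _t(12)),        # bogus new host
]
SAMPLE_CRL = [
    Revocation(0x1001, _t(10), SUPERSEDED),                     # routine re-issue
    Revocation(0x2002, _t(14), KEY_COMPROMISE, invalidity_date=_t(11)),
]


def demo():
    """Both attacker edits are undone; the operator's own edit survives."""
    zone = _replay({WWW: "192.0.2.10"}, SAMPLE_LOG)
    reverted, conflicts = roll_back(zone, SAMPLE_LOG, SAMPLE_CRL)
    return zone, reverted, conflicts


def demo_conflict():
    """An operator edit made after the attacker's leaves www for manual review."""
    log = SAMPLE_LOG + [Change(WWW, "198.51.100.7", "203.0.113.5", 0x1003, _t(13))]
    zone = _replay({WWW: "192.0.2.10"}, log)
    reverted, conflicts = roll_back(zone, log, SAMPLE_CRL)
    return zone, reverted, conflicts


if __name__ == "__main__":
    print(demo())
    print(demo_conflict())
```

The model also shows where the impracticality bites: the attacker's redirect stands from 11:00 until the CRL entry appears at 14:00, and it is only caught at all because the CA attached a reason code and an invalidityDate, both of which are optional in a real CRL entry.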
